If you have a wireless network and your friend brings over his
computer, how do you let him on your network as a guest without giving
out your wireless encryption key?

•

Time for my most popular ... no, my most common, answer:

It depends.

It depends on how much you trust your friend.

And since you don't want to share your wireless encryption key, I'm
going to assume that while you probably trust your friend to a point,
there's clearly a limit.

•

If you trust someone completely, then when it comes to your home
network you just give them the WPA encryption key. (As an aside: good
for you for using an encryption key to keep your wireless connection
safe.) (As a second aside: you're not using WEP, right? That's no
longer secure; use WPA.)

Unfortunately most wireless equipment is set up to operate at either
one extreme or the other: require an encryption key to connect, or let
anyone connect. You don't want to hand out your key, so your friend
can't connect that way, and you don't want to reconfigure your wireless
access point to remove all security, so you can't allow him to connect
that way either.


It's not a simple problem to solve.

If you trust your friend "sort of" you could allow him to connect to
your network via a wired cable. No encryption key is needed, and it's
likely you already have an open port on your router available. The
risk is that he's on your network at all. If you don't have
firewalls on all your machines (common, if you're using a router as
your single firewall for all) then his machine could carry malware that
might travel to your machines, or he might even be able to poke around
on your network in ways that you might not want him to.

Honestly, if there's a question of trust at all, I don't recommend
it. There are just too many things that could go wrong.

So what do you do instead?

More hardware.

In a nutshell, "split" your internet connection using a hub or a
switch (or a router) before it reaches your router, and put all of your
equipment on one side protected behind your router, and then everyone
else - your guest for example - on the other side:

The example above assumes that your ISP will give you more than one
IP address - one for your router, and one for your guest. If that's not
the case, you'll need to replace the hub/switch in the example with
another router.

Here's the same setup, using wireless connections:

Here you can see that the router on the left, your existing router I
might add, continues to use a WPA key for wireless encryption. The
router on the right is dedicated to your guests' use, and can either be
a completely open (no encryption, no key needed) hotspot that anyone
can connect to, or you can set it up to use a different WPA key that
you don't mind sharing with your guests.

Using this setup, the two separate networks are isolated from each
other. Neither can "sniff" the other's traffic, and neither can access
the other's machines.
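
One way to confirm that isolation from the guest side, as an added example that is not part of the original article: run this from a machine connected to the guest network and see whether anything on the private side answers. The host addresses and the port list are constructed sample values; substitute the ones your own machines use.

```python
import socket

# Assumed list of ports commonly open on home machines
# (SSH, web admin pages, Windows file sharing, remote desktop).
DEFAULT_PORTS = (22, 80, 139, 443, 445, 3389)


def tcp_reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or no route to host
        return False


def isolation_report(private_hosts, ports=DEFAULT_PORTS, timeout=1.0):
    """Map each private-side host to the list of ports that answered.

    Run from the guest side; an isolated setup gives an empty list
    for every host.
    """
    return {host: [p for p in ports if tcp_reachable(host, p, timeout)]
            for host in private_hosts}


def is_isolated(report):
    """True when no private-side host answered on any probed port."""
    return all(not open_ports for open_ports in report.values())


if __name__ == "__main__":
    # Constructed sample addresses: replace with your private-side machines.
    hosts = ["192.168.1.10", "192.168.1.11"]
    report = isolation_report(hosts)
    for host, open_ports in report.items():
        print(host, "answers on", open_ports if open_ports else "nothing")
    print("isolated" if is_isolated(report) else "NOT isolated")
```

Give the guest router a different LAN address range than your private router so the results are unambiguous, and include your private router's outside (WAN-side) address in the list, since that is the only part of your network the guest side can address directly.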

For the record, this is what I have in my own home: a private
wireless network secured by WPA, and then a separate guest network that
is open to anyone within range.

And as a fairly interesting side note, we are starting to see
equipment that effectively bundles the equivalent of two routers and
wireless access points into a single box, for exactly this
scenario.

Now, there's one final gotcha that is, once again, a matter of
trust.

Remember that your guest is using your internet connection.
If they happen to do something, say, illegal ... it can be traced by
law enforcement, and that trace would lead to you as the owner of that
connection. I'm guessing at that point you'd have some explaining to
do.

Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions.

MAC addresses are not encrypted even on encrypted connections (technically they're used at a layer below encrypted data), so all one needs to do is sniff the network, pick one of the MAC addresses that are obviously allowed to pass through, and choose that to spoof.

And data on your ethernet cable isn't being broadcast to a 300 ft radius of your wireless connection. :-)

- Leo, 17-Apr-2009

Craig Fisher
April 18, 2009 3:39 PM

Leo: thanks for clarifying the pitfall of MAC address filtering.
And point taken about WiFi being broadcast, but the discussion was in the context of allowing friends onto your LAN.

My point about WiFi is that you should not remove encryption simply to allow a guest to connect. If you need encryption, you need encryption.

- Leo, 19-Apr-2009

hkbs
April 21, 2009 10:42 AM

Thanks for that info, Leo. May I ask what to look for to obtain a hub/switch?

Rich Deem
April 21, 2009 3:13 PM

I have a DSL Router. The original one died and the computer store people (Best Buy) suggested I replace it with another one from Verizon. It still uses WEP and can't, apparently, use WPA. As a DSL user are we stuck with old technology? What about FIOS fiber optic? If its router dies, can you buy a better one?

This has nothing to do with DSL or FIOS or whatever technology you connect to the internet with. This is all about the router itself, nothing more, nothing less. I'd check with your ISP for what your options really are; I can't believe they'd force a WEP-only router on you. In many cases they don't give or specify a router - they provide a modem which you then connect to whatever router you like.

- Leo, 22-Apr-2009

avoidz
April 21, 2009 9:29 PM

I have a wireless gateway with four ports at the back, so if a friend brings over a notebook or whatever I just hook it up with a length of network cable. Much easier and quicker than configuring the wireless connection.

Andy
June 24, 2010 3:21 AM

In scenario 2, would it be possible to use a G-series router for the guests' usage without it affecting my encrypted N-series router? I remember reading previously that older router versions (i.e. G-series) can negatively affect the performance of newer ones. What effect can this have on wireless performance?
